SlideShare a Scribd company logo
1 of 78
Failures Of Security Industry In The Last Decade
Lessons Learned
From Hundreds of
Cyber Espionage Breaches
Sung-ting Tsai (TT), Chi-en Shen (Ashley)
Oct 29, 2015
Agenda
• Cyber Espionage Attacks In The Last decade
 APT Review
 Operation Eclipse
 Attacks Against The Whole World
• Failures of Security Industry
 Existing Solutions And How They Failed On APT Attacks
• Dealing with Cyber Espionage threats
 You Will Be Pwned, Sooner Or Later
 The Endless War
 Defense In Depth
 Case Study
• Conclusion
 Suggestions to Targeted Organizations
 Suggestions to Security Vendors
Sung-ting Tsai (TT)
CEO at Team T5 Inc.
• Frequent Black Hat conference speaker
• Vulnerability researcher and owner of several CVE ID
• 10+ years on security product development
• 8+ years experience on cyber threat research
• Organizer of HITCON (Hacks in Taiwan Security
Conference)
 tt@teamt5.org
Chi-en Shen (Ashley)
Senior Threat Analyst at Team T5 Inc.
• Malicious document, malware analysis, APT research
• Tracking several cyber espionage groups for years
• Core member and speaker of HITCON GIRLS.
• HITCON speaker
 ashley@teamt5.org
Team T5 Inc.
Found In
January 2013
Based In
Taipei
Website
https://www.teamt5.org
• Who We Are:
• Cyber threat intelligence, research, and service
provider.
• World-leading research on Asia Pacific cyber
espionage threats.
• What We Do:
• We monitor, analyze, and track cyber threats.
• Helping people to gain advantaged position facing
cyber threats.
• What We Provide:
• Threat research.
• Malware analysis service
• Incident response / Investigation
• Consulting service
• Team T5 tracks about 150+ malware families.
Malware Research
• Team T5 tracks about 60+ cyber espionage groups.
Campaign Tracking
Cyber Espionage Attacks
In The Last decade
APT Review
• APT has been popular in the security industry since around 2009
• Many solutions look fancy, however breaches keep happening.
• People spent a lot of budget to improve their fences, but the effectiveness of
these security products remains doubtful.
Operation Eclipse
Operation Eclipse (CloudyOmega  Emdivi)
Japan Pension Service Breach
• At least 27 PCs were infected
 Anti-virus software installed, but they didn't work.
• About 1.25 million pension service participants'
personal information leaked under this attack.
• Sending spear-phishing emails with attachment
(malware) to faculty staffs
 The body of email claims the attachment includes a
medical receipt.
 Regarding the Review of the Employee's Pension
Fund (Draft)
Petroleum Association of Japan
• More than 3 PCs were infected
• Related data of requests regarding the petroleum policy
to the government
• About 250 files are leaked
• Sending spear-phishing emails with attachment
(malware) to faculty staffs
 The body of email claims the attachment includes a
medical receipt.
National Health Insurance Association
• More than 4 PCs were infected
• About 1500 files are leaked
• Sending spear-phishing emails with attachment
(malware) to faculty staffs
 The body of email claims the attachment includes a
medical receipt.
Targeting Sectors
Operation Eclipse Incident Number
At least 47 victims confirmed
by Team T5.
It doesn’t take a long time
• It could be just a few hours from infection to intrusion and data
leakage.
• Our observation shows that 80% of victims leak data in 5 hrs
after being compromised.
Reconnaissance Initial Intrusion Control Strengthen Data Exfiltration
5 hrs
10+ Years APT Attacks History of Taiwan
• Most of government agencies were either ever
compromised before or is still in adversary's control.
– i.e. Active Directory server was compromised.
• Related to ALL industries.
– ISP, military contractor, defense industry, political parties,
think tank organization, trade organization, university
professors, social network, e-commerce, employment
websites, online game.
• Get along with them peacefully?
– Clean all infection?
– Reinstall all endpoints?
APT Incidents Timeline
Attacks Against The Whole World
• Not only Taiwan and Japan, we monitored they are attacking the
whole world.
• Especially Asia pacific countries
Taiwan Government
Taiwan Government
Korea Corperation
India Energy Sector
Philippine Government
Vietnam Government
Mongolia Victim
Myanmar Victim
Thailand Government
Russia Government
Cyber espionage attack has been aware of for 10 years...
Do you have good strategy to defend?
Can you control the situation?
Failures of security industry
APT Solutions?
• When people are talking about APT solutions, they might be thinking
about one of following technologies:
• Anti-virus
• Sandbox
• Next Generation Firewall / Intrusion prevention system
• SIEM (Security Information and Event Management)
• Application Control
• Exploit Mitigation
• Incident Response Service
Anti-Virus?
• Gdrive RAT with 0/55
detection rate.
Anti-Virus?
• APT Actor testing
malware with VirusTotal
• APT Actor testing
malware with VirusTotal
Anti-Virus?
• It is easy to evade AV detection with very low cost.
Anti-Virus
Sandbox?
• Approaches to bypass sandbox
• Hardware and configurations
• CPU ID, quantity
• Device information
• Vmware backdoor I/O port
• Memory size
• Screen resolution
• VGA/Network Product
• System Environment
• Service
• System process
• Windows product serial number
• Installed software list
• Registry key
• Others
Hotfixs count
System up time
Mouse movement
Files count in temp folder
Desktop files count
Antivirus
• Anti-anti-sandbox?
• Patch Vmware string
• Patch start up time
• Patch processor
number
• Put more hotfix
• Change memory size
• ………
Host Name: ABC
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
System Manufacturer: VMware, Inc.
OS Build Type: Uniprocessor Free
Registered Owner: ABC
Original Install Date: 2/19/2014, 11:29:39 PM
System Boot Time: 8/18/2015, 3:13:02 PM
System Up Time: 0 Days, 0 Hours, 1 Minutes, 55 Seconds
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 2 Stepping 3 GenuineIntel ~2400 Mhz
System Manufacturer: QEMU
BIOS Version: Bochs Bochs, 1/1/2007
Total Physical Memory: 1,024 MB
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB2534111
[02]: KB958488
[03]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: Realtek RTL8139C+ Fast Ethernet NIC
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 192.168.180.51
Sandbox?
• Specially crafted
fake website.
Deliver malware
after entering
password.
Sandbox?
• Encrypted
attachment
Sandbox?
• Tons of ways to detect if it is running in a virtual environment.
NGFW / IPS?
• Normal, but encrypted traffic?
• Public cloud service as C2?
NGFW / IPS?
• Frequent changing C&C server
NGFW / IPS?
• Compromised
website as C2, safe
or dangerous?
Allow or deny?
NGFW / IPS?
NGFW / IPS?
• Most of APT malware traffic are either encoded or encrypted,
and C2 IP changed rapidly.
source: www.passivetotal.org
SIEM?
• Even with the most powerful SIEM, no detection means no visibility.
• Logs are useless without efficient rules.
Application Control?
• Low adoption rate, refused by IT teams.
• Trade-off between convenience and security?
• Can still be bypassed (ie. DLL Sideloading)
• Non-PE backdoor, i.e. script trojan
Exploit Mitigation?
• Great solution to defend.
• However, adoption rate is quite low, even for free EMET.
• Stability and compatibility.
• Decreasing amount of exploit attack.
Incident Response Service?
• One time service is difficult to solve “persistent” problems.
• It is not easy to clean up all infections completely.
• Attack will come right after the IR service.
• Service cost is usually not affordable for victims.
• Root causes are not easy to find.
• Probably you can find all malware, but where is the vulnerability?
• How to prevent next attack?
No Solutions to Social Engineering..
• Spear-phishing emails
with insurance fee
theme in Operation
Eclipse.
No Solutions to Social Engineering..
• The email might be
sent from your co-
workers.
Failures of security industry
• Security vendors don’t understand Cyber Espionage threats.
• Cyber espionage is not easy to observe without experience.
• It is hard to understand without stand at the front line (IR).
• How do you defend without knowing what is coming?
Failures of security industry
• Actors are quicker than
security vendors
• Actors change rapidly
according to vendor’s
latest techniques and
solutions.
• Actors rebuild malware
and apply C2 domain
specifically for their
target.
Failures of security industry
• Actors are quicker than security vendors
• Vendors keep collecting OLD samples / C2s after the attack, and making
signatures to detect OLD samples / C2s.
• Malware updates are always faster than security products.
Failures of security industry
• Ignorance of vulnerability
• Vulnerability plays a very important role
• Solutions to 0day?
• Too much vulnerabilities information.
• I.e. CloudyOmega deployed flash 0day (CVE 2015-5119) right after the Hacking
Team leak. 10+ organizations were compromised in a week.
Is CE attack complicated?
• CE attack is this simple:
Actor
Spear-phishing Emails
Attachment file
http://im.malicious.link Malicious link
CE is not just technical things
• You are not facing a malware or an attack technique.
• However, most of security vendors only care how to block an attack from
technical perspective.
• CE is your adversary, they are human.
• They adapt and change rapidly.
• Security vendors only react to attack techniques.
• Security vendors only provide software and machine.
• You need to learn their Tactics, Techniques, and Procedures (TTP).
Dealing with
Cyber Espionage threats
You Need to know...
• You will be pwned, sooner or later.
• If one single attack in a million times succeeded, you are compromised.
• So, just get ready for it. Be prepared.
• It is not all about defense, it also matters how fast you can mitigate the
incident.
You Need to know...
• Cyber Espionage is the
endless war
• Your adversary won’t stop.
• Be prepared for the war.
• “Know yourself and know
your enemy, and you will
never be defeated.” - Sunzi's
Art of War
You Need to know...
• Invest on people, not only software or hardware
• Your enemies are human. They are well-trained hackers. You cannot rely on
computer programs only.
• You need good security strategy to defend. Only people can make strategy.
• Build your CSIRT - have a dedicated security team.
• Don’t forget human weakness and social engineering .
Defense In Depth
• Security Guard
(SoC/MSS Team)
• 24x7 monitor,
stop bad guys
• SWAT
• Emergency Response
(CSIRT Team)
• Dispatch to warzone,
clean & repair threats
• Fitness Doctor
(CISO/Manager)
• Plan & exercise,
defense strategy
• Private Detective
(Threat Analyst)
• Investigate & track
know Adversary TTP
研析
Research
預防
Prevent
檢知
Detect
反應
Respond
Case Study – A Taiwan Think Tank
• 500 researchers and assistants
• Doing policy research for 10+ government departments
• Targeted by 5+ different Cyber Espionage groups
• Active Directory server under 2 groups’ control
• Antivirus Update server 0day to install malware
2014-10 Team T5 Incident Respond
2014-11 T5 Suggested Defense Solution
2014-12 T5 Daily monitoring begin
2015-02 ~ No more CE incidents
Detect Stage
• Security Guard
(SoC/MSS Team)
• 24x7 monitor,
stop bad guys
• SWAT
• Emergency Response
(CSIRT Team)
• Dispatch to warzone,
clean & repair threats
• Fitness Doctor
(CISO/Manager)
• Plan & exercise,
defense strategy
• Private Detective
(Threat Analyst)
• Investigate & track
know Adversary TTP
研析
Research
預防
Prevent
檢知
Detect
反應
Respond
Detect stage
• Gateway
• Web browsing => Proxy with Reputation blacklisting
• Email (attachment and link) => Spam + AV + Sandbox
• Endpoint
• Staff workstations
Memory forensics APT scanner
• Server-area
White-list only firewall rules
• Active Directory Firewall
Respond Stage
• Security Guard
(SoC/MSS Team)
• 24x7 monitor,
stop bad guys
• SWAT
• Emergency Response
(CSIRT Team)
• Dispatch to warzone,
clean & repair threats
• Fitness Doctor
(CISO/Manager)
• Plan & exercise,
defense strategy
• Private Detective
(Threat Analyst)
• Investigate & track
know Adversary TTP
研析
Research
預防
Prevent
檢知
Detect
反應
Respond
• When bad things happened, we act as fast as possible to…
• Collect samples
• Analyze samples
• Generate indicators
• Detect with indicators
• Feedback to analyze (important)
• CE mitigation is a long-term task.
Mitigation cycle
Collect
Samples
Analyze
Sample
Generate
Indicators
/ Yara
Detect
with
Indicators
Feedback
Respond Stage
• Remote forensics agent
or on-site forensics
• Mitigation cycle
Collect
Samples
Analysis
Sample
Generate
Indicators
/ Yara
Detect with
Indicators
Research Stage
• Security Guard
(SoC/MSS Team)
• 24x7 monitor,
stop bad guys
• Emergency Response
(CSIRT Team)
• Dispatch to warzone,
clean & repair threats
• Fitness Doctor
(CISO/Manager)
• Plan & exercise,
defense strategy
• Private Detective
(Threat Analyst)
• Investigate & track
know Adversary TTP
研析
Research
預防
Prevent
檢知
Detect
反應
Respond
Research Stage
• More surveillance cameras, more screen playbacks.
• Collect data for retro-hunting research
• Syslog server
• Weblog server
• Passive DNS replication
• Netflow recording
• Full packet recording
Prevent Stage
• Security Guard
(SoC/MSS Team)
• 24x7 monitor,
stop bad guys
• Emergency Response
(CSIRT Team)
• Dispatch to warzone,
clean & repair threats
• Fitness Doctor
(CISO/Manager)
• Plan & exercise,
defense strategy
• Private Detective
(Threat Analyst)
• Investigate & track
know Adversary TTP
研析
Research
預防
Prevent
檢知
Detect
反應
Respond
Prevent Stage
• Consulting on IT Security budget
• Consulting on defense deployment strategy
• Consulting on choosing proper APT solutions, by doing PoC tests
• Building CSIRT team
• Building risk assessment criteria
• Building Threat Intelligence Program
Conclusion
Conclusion
• Security vendors’ technology are advanced, and elegant.
• However, actors usually bypass quickly with very low cost.
• Because they don’t understand actors well.
• Malware updates are always faster than security products.
• New protection features always gets bypassed within a few weeks.
Conclusion
• To cyber espionage targets:
• Face the threat. Prepare for long-term battle once it happened.
• Try as much as you can to secure your e-mail.
• Cyber espionage incident is hard to deal with. Make a long-term recovery plan.
• Build a CSIRT to fight with cyber war.
• To security vendors:
• Need to follow with cyber espionage actors.
• Not only for TTPs, but also campaign tracking.
• Please provide long-term service for cyber espionage victims.
Q&A
tt@teamt5.org
ashley@teamt5.org

More Related Content

What's hot

Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
DefCamp - Mohamed Bedewi - Building a Weaponized HoneypotDefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
DefCamp - Mohamed Bedewi - Building a Weaponized HoneypotShah Sheikh
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
 
NDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeawaysNDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeawaysBryson Bort
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Cyber Threat Simulation Training
Cyber Threat Simulation TrainingCyber Threat Simulation Training
Cyber Threat Simulation TrainingBryan Len
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 

What's hot (20)

Network security basics
Network security basicsNetwork security basics
Network security basics
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554
 
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
DefCamp - Mohamed Bedewi - Building a Weaponized HoneypotDefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
NDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeawaysNDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeaways
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
Cyber Threat Simulation Training
Cyber Threat Simulation TrainingCyber Threat Simulation Training
Cyber Threat Simulation Training
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
How secure are your systems
How secure are your systemsHow secure are your systems
How secure are your systems
 

Viewers also liked

2016-Cyber-Security-Report-visualization 07 MS
2016-Cyber-Security-Report-visualization 07 MS2016-Cyber-Security-Report-visualization 07 MS
2016-Cyber-Security-Report-visualization 07 MSTim Treacy
 
Cyber Espionage: Are You Being Hunted?
Cyber Espionage: Are You Being Hunted?Cyber Espionage: Are You Being Hunted?
Cyber Espionage: Are You Being Hunted?5 Minute Webinars
 
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWiSocial Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWiInsideView
 
Equation Group : Advanced Secretive Computer Espionage Group
Equation Group : Advanced Secretive Computer Espionage GroupEquation Group : Advanced Secretive Computer Espionage Group
Equation Group : Advanced Secretive Computer Espionage Groupanupriti
 
Fifth grade i spy 2015
Fifth grade i spy 2015Fifth grade i spy 2015
Fifth grade i spy 2015bowenlibrary
 
STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949
STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949
STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949Thierry Debels
 
Terrorism Del 3
Terrorism Del 3Terrorism Del 3
Terrorism Del 3jwendell
 
Stay Behind in Deutschland LW
Stay Behind in Deutschland LWStay Behind in Deutschland LW
Stay Behind in Deutschland LWLuxemburger Wort
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Mikko Hypponen
 
Cypher technique
Cypher techniqueCypher technique
Cypher techniqueZubair CH
 
GHY101 Unit 3c Russia & the former Soviet Union
GHY101 Unit 3c Russia & the former Soviet UnionGHY101 Unit 3c Russia & the former Soviet Union
GHY101 Unit 3c Russia & the former Soviet UnionMark M. Miller
 
Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016Gianni Amato
 
Spies and secret codes gisela palenzuela
Spies and secret codes gisela palenzuelaSpies and secret codes gisela palenzuela
Spies and secret codes gisela palenzuelaJOSE LUIS
 
Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...
Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...
Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...Peter Staal
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk   apt, cyber espionage threat(130119) #fitalk   apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 

Viewers also liked (20)

2016-Cyber-Security-Report-visualization 07 MS
2016-Cyber-Security-Report-visualization 07 MS2016-Cyber-Security-Report-visualization 07 MS
2016-Cyber-Security-Report-visualization 07 MS
 
Cyber Espionage: Are You Being Hunted?
Cyber Espionage: Are You Being Hunted?Cyber Espionage: Are You Being Hunted?
Cyber Espionage: Are You Being Hunted?
 
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWiSocial Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
 
Equation Group : Advanced Secretive Computer Espionage Group
Equation Group : Advanced Secretive Computer Espionage GroupEquation Group : Advanced Secretive Computer Espionage Group
Equation Group : Advanced Secretive Computer Espionage Group
 
Distribution Training
Distribution TrainingDistribution Training
Distribution Training
 
Fifth grade i spy 2015
Fifth grade i spy 2015Fifth grade i spy 2015
Fifth grade i spy 2015
 
STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949
STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949
STAY-BEHIND ACTIVITIES IN BELGIUM - CIA DOC 1949
 
Crittografia
CrittografiaCrittografia
Crittografia
 
Terrorism Del 3
Terrorism Del 3Terrorism Del 3
Terrorism Del 3
 
Stay Behind in Deutschland LW
Stay Behind in Deutschland LWStay Behind in Deutschland LW
Stay Behind in Deutschland LW
 
Spies Power Point Mini
Spies Power Point MiniSpies Power Point Mini
Spies Power Point Mini
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
 
Cypher technique
Cypher techniqueCypher technique
Cypher technique
 
GHY101 Unit 3c Russia & the former Soviet Union
GHY101 Unit 3c Russia & the former Soviet UnionGHY101 Unit 3c Russia & the former Soviet Union
GHY101 Unit 3c Russia & the former Soviet Union
 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad Encryption
 
Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016
 
Spies and secret codes gisela palenzuela
Spies and secret codes gisela palenzuelaSpies and secret codes gisela palenzuela
Spies and secret codes gisela palenzuela
 
Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...
Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...
Lecture - Espionage by the Numbers: Introduction to Number Stations - Delft U...
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk   apt, cyber espionage threat(130119) #fitalk   apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 

Similar to Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - CODE BLUE 2015

2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMAlienVault
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)neeraj.sihag
 
The Evolution of Cybercrime
The Evolution of CybercrimeThe Evolution of Cybercrime
The Evolution of CybercrimeStephen Cobb
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataAccellis Technology Group
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security BreakfastRackspace
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMAlienVault
 

Similar to Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - CODE BLUE 2015 (20)

Cybersecurity Concerns You Should be Thinking About
Cybersecurity Concerns You Should be Thinking AboutCybersecurity Concerns You Should be Thinking About
Cybersecurity Concerns You Should be Thinking About
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber Security
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
File000119
File000119File000119
File000119
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)
 
The Evolution of Cybercrime
The Evolution of CybercrimeThe Evolution of Cybercrime
The Evolution of Cybercrime
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security Breakfast
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
SecurityOperations
SecurityOperationsSecurityOperations
SecurityOperations
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfThe Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfMilind Agarwal
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 

Recently uploaded (20)

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdfThe Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
The Intriguing World of CDR Analysis by Police: What You Need to Know.pdf
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 

Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - CODE BLUE 2015

  • 1. Failures Of Security Industry In The Last Decade Lessons Learned From Hundreds of Cyber Espionage Breaches Sung-ting Tsai (TT), Chi-en Shen (Ashley) Oct 29, 2015
  • 2. Agenda • Cyber Espionage Attacks In The Last decade  APT Review  Operation Eclipse  Attacks Against The Whole World • Failures of Security Industry  Existing Solutions And How They Failed On APT Attacks • Dealing with Cyber Espionage threats  You Will Be Pwned, Sooner Or Later  The Endless War  Defense In Depth  Case Study • Conclusion  Suggestions to Targeted Organizations  Suggestions to Security Vendors
  • 3. Sung-ting Tsai (TT) CEO at Team T5 Inc. • Frequent Black Hat conference speaker • Vulnerability researcher and owner of several CVE ID • 10+ years on security product development • 8+ years experience on cyber threat research • Organizer of HITCON (Hacks in Taiwan Security Conference)  tt@teamt5.org
  • 4. Chi-en Shen (Ashley) Senior Threat Analyst at Team T5 Inc. • Malicious document, malware analysis, APT research • Tracking several cyber espionage groups for years • Core member and speaker of HITCON GIRLS. • HITCON speaker  ashley@teamt5.org
  • 5. Team T5 Inc. Found In January 2013 Based In Taipei Website https://www.teamt5.org • Who We Are: • Cyber threat intelligence, research, and service provider. • World-leading research on Asia Pacific cyber espionage threats. • What We Do: • We monitor, analyze, and track cyber threats. • Helping people to gain advantaged position facing cyber threats. • What We Provide: • Threat research. • Malware analysis service • Incident response / Investigation • Consulting service
  • 6. • Team T5 tracks about 150+ malware families. Malware Research
  • 7. • Team T5 tracks about 60+ cyber espionage groups. Campaign Tracking
  • 8. Cyber Espionage Attacks In The Last decade
  • 9. APT Review • APT has been popular in the security industry since around 2009 • Many solutions look fancy, however breaches keep happening. • People spent a lot of budget to improve their fences, but the effectiveness of these security products remains doubtful.
  • 12. Japan Pension Service Breach • At least 27 PCs were infected  Anti-virus software installed, but they didn't work. • About 1.25 million pension service participants' personal information leaked under this attack. • Sending spear-phishing emails with attachment (malware) to faculty staffs  The body of email claims the attachment includes a medical receipt.  Regarding the Review of the Employee's Pension Fund (Draft)
  • 13. Petroleum Association of Japan • More than 3 PCs were infected • Related data of requests regarding the petroleum policy to the government • About 250 files are leaked • Sending spear-phishing emails with attachment (malware) to faculty staffs  The body of email claims the attachment includes a medical receipt.
  • 14. National Health Insurance Association • More than 4 PCs were infected • About 1500 files are leaked • Sending spear-phishing emails with attachment (malware) to faculty staffs  The body of email claims the attachment includes a medical receipt.
  • 16. Operation Eclipse Incident Number At least 47 victims confirmed by Team T5.
  • 17. It doesn’t take a long time • It could be just a few hours from infection to intrusion and data leakage. • Our observation shows that 80% of victims leak data in 5 hrs after being compromised. Reconnaissance Initial Intrusion Control Strengthen Data Exfiltration 5 hrs
  • 18. 10+ Years APT Attacks History of Taiwan • Most of government agencies were either ever compromised before or is still in adversary's control. – i.e. Active Directory server was compromised. • Related to ALL industries. – ISP, military contractor, defense industry, political parties, think tank organization, trade organization, university professors, social network, e-commerce, employment websites, online game. • Get along with them peacefully? – Clean all infection? – Reinstall all endpoints?
  • 20. Attacks Against The Whole World • Not only Taiwan and Japan, we monitored they are attacking the whole world. • Especially Asia pacific countries
  • 31. Cyber espionage attack has been aware of for 10 years... Do you have good strategy to defend? Can you control the situation?
  • 33. APT Solutions? • When people are talking about APT solutions, they might be thinking about one of following technologies: • Anti-virus • Sandbox • Next Generation Firewall / Intrusion prevention system • SIEM (Security Information and Event Management) • Application Control • Exploit Mitigation • Incident Response Service
  • 34. Anti-Virus? • Gdrive RAT with 0/55 detection rate.
  • 35. Anti-Virus? • APT Actor testing malware with VirusTotal
  • 36. • APT Actor testing malware with VirusTotal
  • 37. Anti-Virus? • It is easy to evade AV detection with very low cost. Anti-Virus
  • 38. Sandbox? • Approaches to bypass sandbox • Hardware and configurations • CPU ID, quantity • Device information • Vmware backdoor I/O port • Memory size • Screen resolution • VGA/Network Product • System Environment • Service • System process • Windows product serial number • Installed software list • Registry key • Others Hotfixs count System up time Mouse movement Files count in temp folder Desktop files count Antivirus
  • 39. • Anti-anti-sandbox? • Patch Vmware string • Patch start up time • Patch processor number • Put more hotfix • Change memory size • ……… Host Name: ABC OS Name: Microsoft Windows XP Professional OS Version: 5.1.2600 Service Pack 3 Build 2600 System Manufacturer: VMware, Inc. OS Build Type: Uniprocessor Free Registered Owner: ABC Original Install Date: 2/19/2014, 11:29:39 PM System Boot Time: 8/18/2015, 3:13:02 PM System Up Time: 0 Days, 0 Hours, 1 Minutes, 55 Seconds System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 2 Stepping 3 GenuineIntel ~2400 Mhz System Manufacturer: QEMU BIOS Version: Bochs Bochs, 1/1/2007 Total Physical Memory: 1,024 MB Hotfix(s): 3 Hotfix(s) Installed. [01]: KB2534111 [02]: KB958488 [03]: KB976902 Network Card(s): 1 NIC(s) Installed. [01]: Realtek RTL8139C+ Fast Ethernet NIC Connection Name: Local Area Connection DHCP Enabled: No IP address(es) [01]: 192.168.180.51
  • 40. Sandbox? • Specially crafted fake website. Deliver malware after entering password.
  • 42. Sandbox? • Tons of ways to detect if it is running in a virtual environment.
  • 43. NGFW / IPS? • Normal, but encrypted traffic?
  • 44. • Public cloud service as C2? NGFW / IPS?
  • 45. • Frequent changing C&C server NGFW / IPS?
  • 46. • Compromised website as C2, safe or dangerous? Allow or deny? NGFW / IPS?
  • 47. NGFW / IPS? • Most of APT malware traffic are either encoded or encrypted, and C2 IP changed rapidly. source: www.passivetotal.org
  • 48. SIEM? • Even with the most powerful SIEM, no detection means no visibility. • Logs are useless without efficient rules.
  • 49. Application Control? • Low adoption rate, refused by IT teams. • Trade-off between convenience and security? • Can still be bypassed (ie. DLL Sideloading) • Non-PE backdoor, i.e. script trojan
  • 50. Exploit Mitigation? • Great solution to defend. • However, adoption rate is quite low, even for free EMET. • Stability and compatibility. • Decreasing amount of exploit attack.
  • 51. Incident Response Service? • One time service is difficult to solve “persistent” problems. • It is not easy to clean up all infections completely. • Attack will come right after the IR service. • Service cost is usually not affordable for victims. • Root causes are not easy to find. • Probably you can find all malware, but where is the vulnerability? • How to prevent next attack?
  • 52. No Solutions to Social Engineering.. • Spear-phishing emails with insurance fee theme in Operation Eclipse.
  • 53. No Solutions to Social Engineering.. • The email might be sent from your co- workers.
  • 54. Failures of security industry • Security vendors don’t understand Cyber Espionage threats. • Cyber espionage is not easy to observe without experience. • It is hard to understand without stand at the front line (IR). • How do you defend without knowing what is coming?
  • 55. Failures of security industry • Actors are quicker than security vendors • Actors change rapidly according to vendor’s latest techniques and solutions. • Actors rebuild malware and apply C2 domain specifically for their target.
  • 56. Failures of security industry • Actors are quicker than security vendors • Vendors keep collecting OLD samples / C2s after the attack, and making signatures to detect OLD samples / C2s. • Malware updates are always faster than security products.
  • 57. Failures of security industry • Ignorance of vulnerability • Vulnerability plays a very important role • Solutions to 0day? • Too much vulnerabilities information. • I.e. CloudyOmega deployed flash 0day (CVE 2015-5119) right after the Hacking Team leak. 10+ organizations were compromised in a week.
  • 58. Is CE attack complicated? • CE attack is this simple: Actor Spear-phishing Emails Attachment file http://im.malicious.link Malicious link
  • 59. CE is not just technical things • You are not facing a malware or an attack technique. • However, most of security vendors only care how to block an attack from technical perspective. • CE is your adversary, they are human. • They adapt and change rapidly. • Security vendors only react to attack techniques. • Security vendors only provide software and machine. • You need to learn their Tactics, Techniques, and Procedures (TTP).
  • 61. You Need to know... • You will be pwned, sooner or later. • If one single attack in a million times succeeded, you are compromised. • So, just get ready for it. Be prepared. • It is not all about defense, it also matters how fast you can mitigate the incident.
  • 62. You Need to know... • Cyber Espionage is the endless war • Your adversary won’t stop. • Be prepared for the war. • “Know yourself and know your enemy, and you will never be defeated.” - Sunzi's Art of War
  • 63. You Need to know... • Invest on people, not only software or hardware • Your enemies are human. They are well-trained hackers. You cannot rely on computer programs only. • You need good security strategy to defend. Only people can make strategy. • Build your CSIRT - have a dedicated security team. • Don’t forget human weakness and social engineering .
  • 64. Defense In Depth • Security Guard (SoC/MSS Team) • 24x7 monitor, stop bad guys • SWAT • Emergency Response (CSIRT Team) • Dispatch to warzone, clean & repair threats • Fitness Doctor (CISO/Manager) • Plan & exercise, defense strategy • Private Detective (Threat Analyst) • Investigate & track know Adversary TTP 研析 Research 預防 Prevent 檢知 Detect 反應 Respond
  • 65. Case Study – A Taiwan Think Tank • 500 researchers and assistants • Doing policy research for 10+ government departments • Targeted by 5+ different Cyber Espionage groups • Active Directory server under 2 groups’ control • Antivirus Update server 0day to install malware 2014-10 Team T5 Incident Respond 2014-11 T5 Suggested Defense Solution 2014-12 T5 Daily monitoring begin 2015-02 ~ No more CE incidents
  • 66. Detect Stage • Security Guard (SoC/MSS Team) • 24x7 monitor, stop bad guys • SWAT • Emergency Response (CSIRT Team) • Dispatch to warzone, clean & repair threats • Fitness Doctor (CISO/Manager) • Plan & exercise, defense strategy • Private Detective (Threat Analyst) • Investigate & track know Adversary TTP 研析 Research 預防 Prevent 檢知 Detect 反應 Respond
  • 67. Detect stage • Gateway • Web browsing => Proxy with Reputation blacklisting • Email (attachment and link) => Spam + AV + Sandbox • Endpoint • Staff workstations Memory forensics APT scanner • Server-area White-list only firewall rules • Active Directory Firewall
  • 68. Respond Stage • Security Guard (SoC/MSS Team) • 24x7 monitor, stop bad guys • SWAT • Emergency Response (CSIRT Team) • Dispatch to warzone, clean & repair threats • Fitness Doctor (CISO/Manager) • Plan & exercise, defense strategy • Private Detective (Threat Analyst) • Investigate & track know Adversary TTP 研析 Research 預防 Prevent 檢知 Detect 反應 Respond
  • 69. • When bad things happened, we act as fast as possible to… • Collect samples • Analyze samples • Generate indicators • Detect with indicators • Feedback to analyze (important) • CE mitigation is a long-term task. Mitigation cycle Collect Samples Analyze Sample Generate Indicators / Yara Detect with Indicators Feedback
  • 70. Respond Stage • Remote forensics agent or on-site forensics • Mitigation cycle Collect Samples Analysis Sample Generate Indicators / Yara Detect with Indicators
  • 71. Research Stage • Security Guard (SoC/MSS Team) • 24x7 monitor, stop bad guys • Emergency Response (CSIRT Team) • Dispatch to warzone, clean & repair threats • Fitness Doctor (CISO/Manager) • Plan & exercise, defense strategy • Private Detective (Threat Analyst) • Investigate & track know Adversary TTP 研析 Research 預防 Prevent 檢知 Detect 反應 Respond
  • 72. Research Stage • More surveillance cameras, more screen playbacks. • Collect data for retro-hunting research • Syslog server • Weblog server • Passive DNS replication • Netflow recording • Full packet recording
  • 73. Prevent Stage • Security Guard (SoC/MSS Team) • 24x7 monitor, stop bad guys • Emergency Response (CSIRT Team) • Dispatch to warzone, clean & repair threats • Fitness Doctor (CISO/Manager) • Plan & exercise, defense strategy • Private Detective (Threat Analyst) • Investigate & track know Adversary TTP 研析 Research 預防 Prevent 檢知 Detect 反應 Respond
  • 74. Prevent Stage • Consulting on IT Security budget • Consulting on defense deployment strategy • Consulting on choosing proper APT solutions, by doing PoC tests • Building CSIRT team • Building risk assessment criteria • Building Threat Intelligence Program
  • 76. Conclusion • Security vendors’ technology are advanced, and elegant. • However, actors usually bypass quickly with very low cost. • Because they don’t understand actors well. • Malware updates are always faster than security products. • New protection features always gets bypassed within a few weeks.
  • 77. Conclusion • To cyber espionage targets: • Face the threat. Prepare for long-term battle once it happened. • Try as much as you can to secure your e-mail. • Cyber espionage incident is hard to deal with. Make a long-term recovery plan. • Build a CSIRT to fight with cyber war. • To security vendors: • Need to follow with cyber espionage actors. • Not only for TTPs, but also campaign tracking. • Please provide long-term service for cyber espionage victims.

Editor's Notes

  1. Very simple example. This is a basic system information. Can you tell me is it in a sandbox? There are just too many information you can use to identify a sandbox. Of course security vendors want to improve this, they implement new techniques to anti-anti-sb. The cost to implement antianti is very high, but attackers can bypass again with very low cost tricks. If you are an attacker, do you think sandbox will give you many problems?